Classically in combinatorics on words one studies unavoidable regularities that appear in sufficiently
long strings of symbols over a fixed size alphabet. In this paper we take another viewpoint and focus
on combinatorial properties of long words in which the number of occurrences of any symbol is
restricted by a fixed constant. We then demonstrate the connection of these properties to constructing
multicollision attacks on so-called generalized iterated hash functions.

1 Introduction 

In combinatorics on words, the theory of 'unavoidable regularities' usually concerns properties of long 
words over a fixed finite alphabet. Famous classical results in general combinatorics and algebra such 
as theorems of Ramsey, Shirshov and van der Waerden can then be straightforwardly exploited (El.
0, [11], [12], [13]). The theory can be applied in the study of finiteness conditions for semigroups
and (through the concept of syntactic monoid) also in regular languages and finite automata. To give 
the reader a view of the traditional basic results in unavoidable regularities we list some of its most 
noteworthy achievements. 

Ramsey's Theorem immediately implies 

Theorem 1 (Repeated Patterns [2]) For all positive integers $m$ and $n$ there exists a positive integer
$R(m,n)$ satisfying the following. Given an alphabet $A$ and a partition $\{A_i\}_{i=1}^{m}$ of $A^+$ into $m$ sets, if
$w \in A^+$ is any word of length at least $R(m,n)$, then $w$ is in $A^* A_j^n A^*$ for some $j \in \{1,2,\ldots,m\}$.

Let $A$ be an alphabet totally ordered by $<$. We extend the order $<$ to the lexicographic order $<_{lex}$ of
$A^*$ as follows. For all $u, v \in A^*$: $u <_{lex} v$ if either $v \in uA^+$ or $u = xay$ and $v = xbz$ for some
$x,y,z \in A^*$ and $a, b \in A$ for which $a < b$.

Given a positive integer $n$, the word $w \in A^*$ is n-divided if there exist words $u, x_1, x_2, \ldots, x_n, v$ in $A^*$
such that $w = u x_1 x_2 \cdots x_n v$ and

$w <_{lex} u x_{\sigma(1)} x_{\sigma(2)} \cdots x_{\sigma(n)} v$

for any nontrivial permutation $\sigma : \{1,2,\ldots,n\} \to \{1,2,\ldots,n\}$.

Theorem 2 (Shirshov [8, 9, 12]) Let $A$ be an alphabet of $k$ symbols and $p$ and $n$ positive integers with
$p > 2n$. There then exists a positive integer $S(k,p,n)$ such that any word in $A^*$ of length at least $S(k,p,n)$
either is n-divided or contains a $p$th power of a nonempty word of length at most $n-1$.

Let $w = a_1 a_2 \cdots a_m$ where $a_i \in A$ for $i = 1,2,\ldots,m$. A cadence of $w$ is any sequence
$(i_1, i_2, \ldots, i_s)$ of integers such that

$0 < i_1 < i_2 < \cdots < i_s$ and $a_{i_1} = a_{i_2} = \cdots = a_{i_s}$.

Here the number $s$ is the order of the cadence. The cadence $(i_1, i_2, \ldots, i_s)$ is arithmetic if there exists a
positive integer $d$ such that $i_j = i_1 + (j-1)d$ for $j = 1,2,\ldots,s$.

The celebrated van der Waerden's theorem can be reformulated in words as follows. 

Theorem 3 (van der Waerden [8, 9]) Let $A$ be an alphabet of $k$ symbols and $s$ a positive integer. There
then exists a positive integer $W(k,s)$ such that any word in $A^*$ of length at least $W(k,s)$ possesses an
arithmetic cadence of order $s$.

Combinatorial problems are also encountered in information security, for example, when designing
and investigating hash functions, techniques used in message authentication and digital signature
schemes. A hash function of length $n$ (where $n \in \mathbb{N}_+$) is a mapping $H : \{0,1\}^* \to \{0,1\}^n$. For
computing resource reasons, practical hash functions are often iterative, i.e., they are based on some finite
compression function and an initial hash value. For more details, see Subsection 3.1.

An ideal hash function $H : \{0,1\}^* \to \{0,1\}^n$ is a (variable input length) random oracle: for each
$x \in \{0,1\}^*$, the value $H(x) \in \{0,1\}^n$ is chosen uniformly at random.

There are three main security properties that usually are required from a hash function H: collision 
resistance, preimage resistance, and second preimage resistance. 

Collision resistance: It is computationally infeasible to find $x, x' \in \{0,1\}^*$, $x \neq x'$, such that
$H(x) = H(x')$.

Preimage resistance: Given any $y \in \{0,1\}^n$, it is computationally infeasible to find $x \in \{0,1\}^*$ such
that $H(x) = y$.

Second preimage resistance: Given any $x \in \{0,1\}^*$, it is computationally infeasible to find
$x' \in \{0,1\}^*$, $x \neq x'$, such that $H(x) = H(x')$.

If we want to consider the resistance properties mathematically, the concept 'computationally infea- 
sible' should be rigorously defined. Then the security of H is compared to the security of a random 
oracle. 

We thus say that $H$ is collision resistant (or possesses the collision resistance property) if to find
$x, x' \in \{0,1\}^*$, $x \neq x'$, such that $H(x) = H(x')$ is (approximately) as difficult as to find
$z, z' \in \{0,1\}^*$, $z \neq z'$, such that $G(z) = G(z')$ for any random oracle hash function $G$ of length $n$.

The concepts of preimage resistance and second preimage resistance can be defined analogously. 

Given a set $C \subseteq \{0,1\}^*$ of finite cardinality $k > 1$, we say that $C$ is a k-collision on $H$ if
$H(x) = H(x')$ for all $x, x' \in C$. Any 2-collision is also called a collision (on $H$).

The sharpened definitions allow us to define a fourth security property, the so-called multicollision
resistance: The hash function $H$ is multicollision resistant if, for each $k \in \mathbb{N}_+$, to find a k-collision on $H$
is (approximately) as difficult as to find a k-collision on any random oracle hash function $G$ of length $n$.

Our considerations are connected to multicollision resistance. Given a message $x = x_1 x_2 \cdots x_l$ where
$x_1, x_2, \ldots, x_l$ are the (equally long) blocks of $x$, the value of a generalized iterated hash function on $x$ is
based on the values of a finite compression function on the message blocks $x_1, x_2, \ldots, x_l$. A nonempty
word $\alpha$ over the alphabet $\{1,2,\ldots,l\}$ may then tell us in which order and how many times each block $x_i$
is expended by the compression function when producing the value of the respective generalized iterated
hash function. Since the length of messages varies, we get to consider sequences of words $\alpha_1, \alpha_2, \ldots$ in
which, for each $l \in \{1,2,\ldots\}$, the word $\alpha_l \in \{1,2,\ldots,l\}^*$ is related to messages with $l$ blocks. Practical
applications state one more limitation: given a message of any length, a fixed block is to be consumed
by the compression function only a restricted number ($q$, say) of times when computing the generalized
iterated hash function value. Thus in the sequence $\alpha_1, \alpha_2, \ldots$ we assume that for each $l \in \{1,2,\ldots\}$ and
$m \in \{1,2,\ldots,l\}$, the number $|\alpha_l|_m$ of occurrences of the symbol $m$ in the word $\alpha_l$ is at most $q$.

What can be said about the general combinatorial properties of the word $\alpha_l$ when $l$ grows? More
generally: which kind of unavoidable regularities appear in sufficiently long words in which the number
of occurrences of any symbol is bounded by a fixed constant?

As is easy to imagine, the regularities in the words $\alpha_l$ weaken the respective generalized iterated
hash function against multicollision attacks. This topic was first studied in [3], see also Bl[T0l[Tll6ll7ll5ll.
We shall present combinatorial results on words which imply that q-bounded generalized iterated hash
functions are not multicollision resistant.

We proceed in the following order. In the next section basic concepts are briefly given. In the 
third section we first introduce the basics of generalized iterated hash functions. The connection to 
combinatorics on words is then established. The fourth section contains the necessary combinatorial 
results. Finally, the last section contains conclusions and further research proposals. 

2 Preliminaries 

Let $\mathbb{N} = \{0,1,2,\ldots\}$ be the set of all natural numbers and $\mathbb{N}_+ = \mathbb{N} \setminus \{0\}$. For each finite set $S$, let $|S|$ be
the cardinality of $S$, that is to say, the number of elements in $S$.

Let $A$ be a finite alphabet and $\alpha \in A^+$. The length of the word $\alpha$ is denoted by $|\alpha|$; for each $a \in A$,
let $|\alpha|_a$ be the number of occurrences of the letter $a$ in $\alpha$, and let $\mathrm{alph}(\alpha)$ denote the set of all letters
occurring in $\alpha$ at least once. The empty word is denoted by $\epsilon$. A permutation of $A$ is any word $\beta \in A^+$
such that $|\beta|_a = 1$ for each $a \in A$.

Let $B \subseteq A$. Then the projection morphism from $A^*$ into $B^*$, denoted by $\pi_B^A$, is defined by $\pi_B^A(b) = b$
if $b \in B$ and $\pi_B^A(b) = \epsilon$ if $b \in A \setminus B$. We write $\pi_B$ instead of $\pi_B^A$ when $A$ is understood. Define the word
$(\alpha)_B$ as follows: $(\alpha)_B = \epsilon$ if $\pi_B(\alpha) = \epsilon$ and $(\alpha)_B = a_1 a_2 \cdots a_s$ if $\pi_B(\alpha) \in a_1^+ a_2^+ \cdots a_s^+$, where $s \in \mathbb{N}_+$,
$a_1, a_2, \ldots, a_s \in B$, and $a_i \neq a_{i+1}$ for $i = 1,2,\ldots,s-1$.

3 Hash functions and collisions 

In this section we first present a compact lead-in to (generalized) iterated hash functions. Later we wish
to point out how certain results in combinatorics on words are interconnected to successful multicollision
construction on this type of hash function.

3.1 Introduction to (generalized) iterated hash functions 

Let $m, n \in \mathbb{N}_+$ be such that $m > n$. Then $H = \{0,1\}^n$ is the set of hash values (of length $n$) and
$B = \{0,1\}^m$ is the set of message blocks (of length $m$). Any $w \in B^+$ is a message. Given a mapping
$f : H \times B \to H$, call $f$ a compression function (of length $n$ and block size $m$).

Define the function $f^+ : H \times B^+ \to H$ inductively as follows. For each $h \in H$, $b \in B$ and $x \in B^+$, let
$f^+(h,b) = f(h,b)$ and $f^+(h,bx) = f^+(f(h,b),x)$. Note that $f^+$ is nothing but an iterative generalization
of the compression function $f$.

Let $l \in \mathbb{N}_+$ and $\alpha$ be a nonempty word such that $\mathrm{alph}(\alpha) \subseteq \mathbb{N}_l$. Then $\alpha = i_1 i_2 \cdots i_s$, where $s \in \mathbb{N}_+$ and
$i_j \in \mathbb{N}_l$ for $j = 1,2,\ldots,s$. Define the iterated compression function $f_\alpha : H \times B^l \to H$ (based on $\alpha$ and $f$)
by

$f_\alpha(h, b_1 b_2 \cdots b_l) = f^+(h, b_{i_1} b_{i_2} \cdots b_{i_s})$

for each $h \in H$ and $b_1, b_2, \ldots, b_l \in B$. Note that clearly $\alpha$ only declares how many times and in which
order the message blocks $b_1, b_2, \ldots, b_l$ are used when creating the (hash) value $f_\alpha(h, b_1 b_2 \cdots b_l)$ of the
message $b_1 b_2 \cdots b_l$.

Given $k \in \mathbb{N}_+$ and $h_0 \in H$, a k-collision (with initial value $h_0$) in the iterated compression function
$f_\alpha$ is a set $C \subseteq B^l$ such that the following holds:

1. The cardinality of $C$ is $k$;

2. For all $u, v \in C$ we have $f_\alpha(h_0,u) = f_\alpha(h_0,v)$; and

3. For any pair of distinct messages $u = u_1 u_2 \cdots u_l$ and $v = v_1 v_2 \cdots v_l$ in $C$ such that $u_i, v_i \in B$
for $i = 1,2,\ldots,l$, there exists $j \in \{1,2,\ldots,l\}$ for which $u_j \neq v_j$.

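For each $j \in \mathbb{N}_+$, let now $\alpha_j \in \mathbb{N}_j^+$ be such that $\mathrm{alph}(\alpha_j) = \mathbb{N}_j$. Denote $\hat{\alpha} = (\alpha_1, \alpha_2, \ldots)$. Define the
generalized iterated hash function (a gihf for short) $\mathcal{H}_{\hat{\alpha},f} : H \times B^+ \to H$ (based on $\hat{\alpha}$ and $f$) as follows:
Given the initial value $h_0 \in H$ and the message $x \in B^j$, $j \in \mathbb{N}_+$, let

$\mathcal{H}_{\hat{\alpha},f}(h_0, x) = f_{\alpha_j}(h_0, x)$.

Thus, given any message $x$ of $j$ blocks and hash value $h_0$, to obtain the value $\mathcal{H}_{\hat{\alpha},f}(h_0,x)$, we just pick
the word $\alpha_j$ from the sequence $\hat{\alpha}$ and compute $f_{\alpha_j}(h_0,x)$. For more details, see @ and 0.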

Remark 1 A traditional iterated hash function $\mathcal{H} : B^+ \to H$ based on $f$ (with initial value $h_0 \in H$) can
of course be defined by $\mathcal{H}(u) = f^+(h_0,u)$ for each $u \in B^+$. On the other hand $\mathcal{H}$ is a generalized iterated
hash function $\mathcal{H}_{\hat{\alpha},f} : H \times B^+ \to H$ based on $\hat{\alpha}$ and $f$ where $\hat{\alpha} = (1, 1 \cdot 2, 1 \cdot 2 \cdot 3, \ldots)$ and the initial value
is fixed as $h_0$. Note that almost all hash functions used nowadays in practice are of this form.

Given $k \in \mathbb{N}_+$ and $h_0 \in H$, a k-collision in the generalized iterated hash function $\mathcal{H}_{\hat{\alpha},f}$ (with initial
value $h_0$) is a set $C$ of $k$ messages such that for all $u, v \in C$, $|u| = |v|$ and $\mathcal{H}_{\hat{\alpha},f}(h_0,u) = \mathcal{H}_{\hat{\alpha},f}(h_0,v)$.
Now suppose that $C$ is a k-collision in $\mathcal{H}_{\hat{\alpha},f}$ with initial value $h_0$. Let $l \in \mathbb{N}_+$ be such that $C \subseteq B^l$, i.e.,
the length in blocks of each message in $C$ is $l$. Then, by definition, for each $u, v \in C$, the equality
$f_{\alpha_l}(h_0,u) = f_{\alpha_l}(h_0,v)$ holds. Since $\mathrm{alph}(\alpha_l) = \mathbb{N}_l$ (and thus each symbol in $\mathbb{N}_l$ occurs in $\mathrm{alph}(\alpha_l)$), the set
$C$ is a k-collision in $f_{\alpha_l}$ with initial value $h_0$. Thus, a k-collision in the generalized iterated hash function
$\mathcal{H}_{\hat{\alpha},f}$ necessarily, by definition, is a k-collision in the iterated compression function $f_{\alpha_l}$ for some $l \in \mathbb{N}_+$.

Now, in our security model, the attacker tries to find a k-collision in $\mathcal{H}_{\hat{\alpha},f}$. We assume that the attacker
knows how $\mathcal{H}_{\hat{\alpha},f}$ depends on the respective compression function $f$ (i.e., the attacker knows $\hat{\alpha}$), but sees
$f$ only as a black box. She/he does not know anything about the internal structure of $f$ and can only
make queries (i.e., pairs $(h,b) \in H \times B$) on $f$ and get the respective responses (values $f(h,b) \in H$).

We thus define the (message) complexity of a k-collision in $\mathcal{H}_{\hat{\alpha},f}$ to be the expected number of queries
on the compression function $f$ that is needed to create a multicollision of size $k$ in $\mathcal{H}_{\hat{\alpha},f}$ with any initial
value $h \in H$.

According to the (generalized) birthday paradox, a k-collision for any compression function $f$ of
length $n$ can be found (with probability approx. $\frac{1}{2}$) by hashing $(k!)^{1/k}\, 2^{n(k-1)/k}$ messages [14] if we assume
that there are no memory restrictions. Two remarks can be made immediately:

• In the case $k = 2$ approximately $\sqrt{2} \cdot 2^{n/2}$ hashings (queries on $f$) are needed; intuitively many of us
would expect the number to be around $2^{n-1}$.

• For each $k$ in $\mathbb{N}_+$, finding a $(k+1)$-collision consumes much more resources than finding a
k-collision.

Of course, when attacking, for instance, against an iterated hash function based on a random oracle
compression function of length $n$, the attacker needs a lot of computing power when $n$ is large; to create
a 2-collision requires approximately $\sqrt{2} \cdot 2^{n/2}$ queries on $f$ and this is resource consuming.

The paper [4] presents a clever way to find a $2^r$-collision in the traditional iterated hash function $\mathcal{H}$ (see
Remark 1) for any $r \in \mathbb{N}_+$. The attacker starts from the initial value $h_0$ and searches two distinct message
blocks $b_1, b_1'$ such that $f(h_0,b_1) = f(h_0,b_1')$ and denotes $h_1 = f(h_0,b_1)$. By the birthday paradox, the
expected number of queries on $f$ is $\tilde{a}\, 2^{n/2}$, where $\tilde{a}$ is approximately 2.5. Then, for each $i = 2,3,\ldots,r-1$,
the attacker continues by searching message blocks $b_i$ and $b_i'$ such that $b_i \neq b_i'$ and $f(h_{i-1},b_i) = f(h_{i-1},b_i')$
and setting $h_i = f(h_{i-1},b_i)$. Now the set $C = \{b_1,b_1'\} \times \{b_2,b_2'\} \times \cdots \times \{b_r,b_r'\}$ is a $2^r$-collision in $\mathcal{H}$.
The expected number of queries on $f$ is clearly $\tilde{a}\, r\, 2^{n/2}$, i.e., the work the attacker is expected to do is only
$r$ times greater than the work she or he has to do to find a single 2-collision. The size of the multicollision
grows exponentially while the need of resources increases linearly.
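
The construction above, run on a toy compression function, as an added example that is not code from the paper. The 16-bit truncated SHA-256 oracle, the 32-bit block size and all function names are assumptions made for illustration; the same message set is also hashed under the 2-bounded word 1 2 ... r 1 2 ... r to show that the plain construction no longer yields a collision once blocks are reused.

```python
import hashlib
from itertools import product

N_BYTES = 2   # toy hash length n = 16 bits (assumption: small enough to search instantly)
M_BYTES = 4   # block length m = 32 bits, so m > n

class Oracle:
    """Black-box compression function f : H x B -> H that counts its queries."""
    def __init__(self):
        self.queries = 0

    def f(self, h, b):
        self.queries += 1
        digest = hashlib.sha256(h + b).digest()
        return digest[:N_BYTES]          # truncated SHA-256 stands in for a random f

def f_alpha(oracle, h, alpha, blocks):
    """f_alpha(h, b_1...b_l) = f^+(h, b_{i_1}...b_{i_s}) for the word alpha = i_1...i_s."""
    for i in alpha:
        h = oracle.f(h, blocks[i - 1])   # symbols of alpha are 1-based block indices
    return h

def block_collision(oracle, h):
    """Birthday search for distinct blocks b, b' with f(h, b) == f(h, b')."""
    seen = {}
    counter = 0
    while True:
        b = counter.to_bytes(M_BYTES, "big")
        value = oracle.f(h, b)
        if value in seen:
            return seen[value], b, value
        seen[value] = b
        counter += 1

def joux_pairs(oracle, h0, r):
    """r chained birthday searches; returns the pairs (b_i, b_i') and the common h_r."""
    pairs, h = [], h0
    for _ in range(r):
        b, b_prime, h = block_collision(oracle, h)
        pairs.append((b, b_prime))
    return pairs, h

def demo(r=4):
    h0 = bytes(N_BYTES)
    oracle = Oracle()
    pairs, h_r = joux_pairs(oracle, h0, r)
    attack_queries = oracle.queries                # cost of the attack itself
    messages = list(product(*pairs))               # C = {b_1,b_1'} x ... x {b_r,b_r'}
    traditional = list(range(1, r + 1))            # alpha_r = 1 2 ... r (1-bounded)
    twice = traditional + traditional              # 1 2 ... r 1 2 ... r (2-bounded)
    digests_1 = {f_alpha(oracle, h0, traditional, m) for m in messages}
    digests_2 = {f_alpha(oracle, h0, twice, m) for m in messages}
    return messages, h_r, digests_1, digests_2, attack_queries

if __name__ == "__main__":
    messages, h_r, d1, d2, queries = demo()
    print(len(messages), "messages,", queries, "queries for the attack")
    print("distinct digests, alpha = 1 2 ... r      :", len(d1))
    print("distinct digests, alpha = 1..r then 1..r :", len(d2))
```

The query counter shows the cost as r birthday searches of about $2^{n/2}$ queries each, while the number of colliding messages is $2^r$.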

The question arises whether or not the ideas of Joux can be applied in a broader setting, i.e., can
Joux's approach be used to construct multicollisions in certain generalized iterated hash functions?

In the following we shall see that this indeed is possible. Call the sequence $\hat{\alpha} = (\alpha_1, \alpha_2, \ldots)$
q-bounded, $q \in \mathbb{N}_+$, if $|\alpha_j|_i \leq q$ for each $j \in \mathbb{N}_+$ and $i \in \mathbb{N}_j$. The gihf $\mathcal{H}_{\hat{\alpha},f}$ is q-bounded if $\hat{\alpha}$ is q-bounded.
Note that Joux's method is easy to apply to any 1-bounded generalized iterated hash function.

Is it possible to extend Joux's method furthermore to be adapted to q-bounded gihfs, when $q > 1$?
This question has been investigated first for 2-bounded gihfs in [10] and then for any q-bounded gihf
in [3] (see also [6]). It turned out that it is possible to create a $2^r$-collision in any q-bounded gihf with
$O(g(n,q,r)\, 2^{n/2})$ queries on $f$, where $g(n,q,r)$ is a function of $n$, $q$ and $r$ which is polynomial with respect
to $n$ and $r$ but double exponential with respect to $q$.

The idea behind the successful construction of the attack is the fact that since $\hat{\alpha}$ is q-bounded,
unavoidable regularities start to appear in the word $\alpha_l$ of $\hat{\alpha}$ when $l$ is increased. More accurately, choosing
$l$ large enough, yet so that $|\mathrm{alph}(\alpha_l)|$ depends only polynomially on $n$ and $r$ (albeit double exponentially
in $q$), a number $p \in \{1,2,\ldots,q\}$ and a set $A \subseteq \mathrm{alph}(\alpha_l)$ of cardinality $|A| = n^{p-1} r$ can be found such that
(P1) $\alpha_l = \beta_1 \beta_2 \cdots \beta_p$ and the word $(\beta_i)_A$ is a permutation of $A$ for $i = 1,2,\ldots,p$; and
(P2) for any $i \in \{1,2,\ldots,p-1\}$, if $(\beta_i)_A = z_1 z_2 \cdots z_{n^{p-i} r}$ is a factorization of $(\beta_i)_A$ such that
$|\mathrm{alph}(z_j)| = n^{i-1}$ for $j = 1,2,\ldots,n^{p-i} r$ and $(\beta_{i+1})_A = u_1 u_2 \cdots u_{n^{p-i-1} r}$ is a factorization of
$(\beta_{i+1})_A$ such that $|\mathrm{alph}(u_j)| = n^{i}$ for $j = 1,2,\ldots,n^{p-i-1} r$, then for each $j_1 \in \{1,2,\ldots,n^{p-i} r\}$,
there exists $j_2 \in \{1,2,\ldots,n^{p-i-1} r\}$ such that $\mathrm{alph}(z_{j_1}) \subseteq \mathrm{alph}(u_{j_2})$.

The property (P1) allows the attacker to construct a $2^{|A|}$-collision $C_1$ in $f_{\beta_1}$ with any initial value $h_0$
so that the expected number of queries on $f$ is $\tilde{a}\, |\beta_1|\, 2^{n/2}$. The property (P2) ensures that based on the
multicollision guaranteed by (P1), the attacker can proceed and, for $i = 2,3,\ldots,p$, create a $2^{n^{p-i} r}$-collision
$C_i$ in $f_{\beta_1 \beta_2 \cdots \beta_i}$ so that the expected number of queries on $f$ is $\tilde{a}\, |\beta_1 \beta_2 \cdots \beta_i|\, 2^{n/2}$. Thus finally a $2^r$-collision
of complexity $\tilde{a}\, |\alpha_l|\, 2^{n/2}$ in $\mathcal{H}_{\hat{\alpha},f}$ is generated.

Finally, on the basis of the previous attack construction and (the future) Theorem 8 the following can
be proved ([2]).

Theorem 4 Let $m$, $n$ and $q$ be positive integers such that $m > n$ and $q > 1$, $f : \{0,1\}^n \times \{0,1\}^m \to \{0,1\}^n$
a compression function, and $\hat{\alpha} = (\alpha_1, \alpha_2, \ldots)$ a q-bounded sequence of words such that $\mathrm{alph}(\alpha_l) = \mathbb{N}_l$
for each $l \in \mathbb{N}_+$. Then, for each $r \in \mathbb{N}_+$, there exists a $2^r$-collision attack on the generalized iterated hash
function $\mathcal{H}_{\hat{\alpha},f}$ such that the expected number of queries on $f$ is at most $\tilde{a}\, q\, N(n^{(q-1)^2} r^{2q-3}, q)\, 2^{n/2}$.

Remark 2 The inequality $N(m,q) \leq m^{2^{q-1}}$ (see Theorem 5) implies that

$N(n^{(q-1)^2} r^{2q-3}, q) \leq n^{(q-1)^2 2^{q-1}}\, r^{(2q-3) 2^{q-1}}$.

The results in [14] imply that, given a random oracle hash function $G$ of length $n$, the expected
number of queries on $G$ to find a $2^r$-collision is in $O(2^{n(2^r-1)/2^r})$.

Call a generalized iterated hash function bounded if it is q-bounded for some $q \in \mathbb{N}_+$.

Corollary 1 There does not exist a bounded generalized iterated hash function that is multicollision 
resistant. 

3.2 Essential combinatorial results 

We state a list of combinatorial results that imply Theorem 4. The main result is stated in the form of
classical combinatorial theorems. For a proof, see [15].

Theorem 5 For all positive integers $m$ and $q$ there exists a (minimal) positive integer $N(m,q)$ such that
if $\alpha$ is a word for which $|\mathrm{alph}(\alpha)| \geq N(m,q)$ and $|\alpha|_a \leq q$ for each $a \in \mathrm{alph}(\alpha)$, there exist $A \subseteq \mathrm{alph}(\alpha)$
with $|A| = m$, and $p \in \{1,2,\ldots,q\}$, as well as words $\alpha_1, \alpha_2, \ldots, \alpha_p$ such that $\alpha = \alpha_1 \alpha_2 \cdots \alpha_p$ and for all
$i \in \{1,2,\ldots,p\}$, the word $(\alpha_i)_A$ is a permutation of $A$. Moreover, for all $m, q \in \mathbb{N}_+$ we have
$N(m,q+1) \leq N(m^2 - m + 1, q)$.

Remark 3 Let $m \in \mathbb{N}_+$. In the case $q = 2$, the previous theorem gives us the boundary value
$N(m,2) = m^2 - m + 1$. Let

$A = \{a_{i,j} \mid i = 1,2,\ldots,m-1,\ j = 1,2,\ldots,m\}$

be an alphabet of $m(m-1)$ symbols. Let furthermore

$\gamma_i = a_{i,1} a_{i,2} \cdots a_{i,m-1} a_{i,m} a_{i,m-1} a_{i,m-2} \cdots a_{i,1}$

for $i = 1,2,\ldots,m-1$ and $\alpha = \gamma_1 \gamma_2 \cdots \gamma_{m-1}$. It is quite straightforward to see that there does not exist an
m-letter subalphabet of $A$ such that either (i) $(\alpha)_A$ is a permutation of $A$ or (ii) there exists a factorization
$\alpha = \alpha_1 \alpha_2$ such that $(\alpha_1)_A$ and $(\alpha_2)_A$ are both permutations of $A$. Thus $N(m,2) = m^2 - m + 1$ for $m \in \mathbb{N}_+$.
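
A brute-force search for the structure that Theorem 5 guarantees, run on the word of Remark 3, as an added example rather than code from the paper. It assumes each $\gamma_i$ is the palindrome $a_{i,1} \cdots a_{i,m-1} a_{i,m} a_{i,m-1} \cdots a_{i,1}$ and that the subalphabet ranges over all m-letter subsets of the letters; the function names are illustrative. It goes beyond the remark by also exhausting every 2-bounded word over three letters, which confirms $N(2,2) \leq 3$.

```python
from itertools import combinations, permutations, product

def reduced(word, A):
    """(word)_A: keep only the letters of A, then collapse runs of equal letters."""
    out = []
    for x in word:
        if x in A and (not out or out[-1] != x):
            out.append(x)
    return out

def is_permutation(word, A):
    """True when every letter of A occurs in word exactly once and nothing else does."""
    return len(word) == len(A) and set(word) == set(A)

def factorizations(word, p):
    """All ways to cut word into p nonempty consecutive factors."""
    n = len(word)
    for cuts in combinations(range(1, n), p - 1):
        bounds = (0,) + cuts + (n,)
        yield [word[bounds[k]:bounds[k + 1]] for k in range(p)]

def find_structure(word, m, q):
    """Return (A, factors) as in Theorem 5, or None if no m-letter A and p <= q work."""
    for A in combinations(sorted(set(word)), m):
        for p in range(1, q + 1):
            for factors in factorizations(word, p):
                if all(is_permutation(reduced(fac, A), A) for fac in factors):
                    return set(A), factors
    return None

def remark3_word(m):
    """gamma_1 ... gamma_{m-1}; letters are pairs (i, j) standing for a_{i,j}."""
    word = []
    for i in range(1, m):
        row = [(i, j) for j in range(1, m + 1)]
        word += row + row[-2::-1]          # a_{i,1}..a_{i,m} then a_{i,m-1}..a_{i,1}
    return word

def q_bounded_words(letters, q):
    """Every word in which each given letter occurs between 1 and q times."""
    for counts in product(range(1, q + 1), repeat=len(letters)):
        pool = [x for x, c in zip(letters, counts) for _ in range(c)]
        yield from set(permutations(pool))

if __name__ == "__main__":
    for m in (2, 3, 4):
        w = remark3_word(m)
        print(m, len(set(w)), "letters:", find_structure(w, m, 2))
    print(all(find_structure(w, 2, 2) for w in q_bounded_words("abc", 2)))
```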

Suppose now that $A$ and $\alpha = \alpha_1 \alpha_2 \cdots \alpha_p$ are as in Theorem 5, i.e., for all $i \in \{1,2,\ldots,p\}$, the word
$(\alpha_i)_A$ is a permutation of $A$. To make our multicollision attack succeed, this is not yet sufficient. We need
permutations $\beta_1, \beta_2, \ldots, \beta_p$ of a sufficiently large alphabet $B$ such that when factoring $\beta_i = \beta_{i,1} \beta_{i,2} \cdots \beta_{i,d_i}$
into $d_i \in \mathbb{N}_+$ equal length factors for $i = 1,2,\ldots,p$ where $d_i$ divides $d_{i+1}$ and the following holds: for
each $i \in \{1,2,\ldots,p-1\}$ and $j_1 \in \{1,2,\ldots,d_i\}$ there exists $j_2 \in \{1,2,\ldots,d_{i+1}\}$ such that
$\mathrm{alph}(\beta_{i,j_1}) \subseteq \mathrm{alph}(\beta_{i+1,j_2})$. Only then we can, starting from the first permutation (and the word $\alpha_1$), roll on our attack
well. Above the permutations $\beta_1, \beta_2, \ldots, \beta_p$ are induced by the words $\alpha_1, \alpha_2, \ldots, \alpha_p$, respectively, when
$\alpha$ is long enough (or equivalently, the alphabet $\mathrm{alph}(\alpha)$ is sufficiently large). That these permutations
always can be found, is verified in the following three combinatorial results.

We wish to further study the mutual structure of permutations in long words guaranteed by Theorem 5.
By increasing the length of the word $\alpha$ the permutations are forced to possess certain stronger
structural properties. The motives are, besides our interest in combinatorics on words, in information
security applications. The connection of the results to creating multicollisions on generalized iterated
hash functions is more accurately, albeit informally, described in Section 5.

As the first step of our reasoning we need an application of the famous Hall's Matching Theorem.
For the proof, see [6] and 0.

Theorem 6 (Partition Theorem) Let $k \in \mathbb{N}_+$ and $A$ be a finite nonempty set such that $k$ divides $|A|$.
Furthermore, let $\{B_i\}_{i=1}^{k}$ and $\{C_j\}_{j=1}^{k}$ be partitions of $A$ such that $|B_i| = |C_j|$ for $i,j = 1,2,\ldots,k$. Then
for each $x \in \mathbb{N}_+$ such that $|A| > k^3 \cdot x$, there exists a bijection $\sigma : \{1,2,\ldots,k\} \to \{1,2,\ldots,k\}$ for which
$|B_i \cap C_{\sigma(i)}| \geq x$ for $i = 1,2,\ldots,k$.

The next theorem is also from [6]. It is an inductive generalization of the Partition Theorem to different
sizes of factorizations. For the proof, see S.

Theorem 7 (Factorization Theorem) Let $d_0, d_1, d_2, \ldots, d_r$, where $r \in \mathbb{N}_+$, be positive integers such that
$d_i$ divides $d_{i-1}$ for $i = 1,2,\ldots,r$, $A$ an alphabet of cardinality $|A| = d_0 d_1^2 d_2^2 \cdots d_r^2$, and $w_1, w_2, \ldots, w_{r+1}$
permutations of $A$. Then there exists a subset $B$ of $A$ of cardinality $|B| = d_0$ such that the following
conditions are satisfied.

(1) For any $i \in \{1,2,\ldots,r\}$, if $\pi_B(w_i) = x_1 x_2 \cdots x_{d_i}$ is the factorization of $\pi_B(w_i)$ and $\pi_B(w_{i+1}) =
y_1 y_2 \cdots y_{d_i}$ is the factorization of $\pi_B(w_{i+1})$ into $d_i$ equal length ($= d_0/d_i$) blocks, then for each
$j \in \{1,2,\ldots,d_i\}$, there exists $j' \in \{1,2,\ldots,d_i\}$ such that $\mathrm{alph}(x_j) = \mathrm{alph}(y_{j'})$; and

(2) If $w_{r+1} = u_1 u_2 \cdots u_{d_r}$ is the factorization of $w_{r+1}$ into $d_r$ equal length ($= d_0 d_1^2 d_2^2 \cdots d_{r-1}^2 d_r$) blocks,
then $\pi_B(w_{r+1}) = \pi_B(u_1) \pi_B(u_2) \cdots \pi_B(u_{d_r})$ is the factorization of $\pi_B(w_{r+1})$ into $d_r$ equal length
($= d_0/d_r$) blocks.

In fact what we need in our considerations is the following 

Corollary 2 Let $d_0$, $d$ and $r$ be positive integers such that $d$ divides $d_0$, $A$ an alphabet of cardinality
$|A| = d_0 d^{2r}$, and $w_1, w_2, \ldots, w_{r+1}$ permutations of $A$. Then there exists a subset $B$ of $A$ of cardinality
$|B| = d_0$ satisfying the following. Let $p, q \in \{1,2,\ldots,r+1\}$ and $\pi_B(w_p) = x_1 x_2 \cdots x_d$ the factorization of
$\pi_B(w_p)$ and $\pi_B(w_q) = y_1 y_2 \cdots y_d$ the factorization of $\pi_B(w_q)$ into $d$ equal length ($= d_0/d$) blocks, then for
each $i \in \{1,2,\ldots,d\}$, there exists $j \in \{1,2,\ldots,d\}$ such that $\mathrm{alph}(x_i) = \mathrm{alph}(y_j)$.

The last result of this section combines the main result of this section (Theorem 5) to the previous
combinatorial accomplishments. Theorem 8 is indispensable for the attack construction in the end of
Section 3.1.

Theorem 8 Let $\alpha$ be a word and $k > 2$, $n > 1$, and $q > 2$ integers such that

(1) $|\mathrm{alph}(\alpha)| \geq N(n^{(q-1)^2} k^{2q-3}, q)$; and

(2) $|\alpha|_a \leq q$ for each $a \in \mathrm{alph}(\alpha)$.

Then there exists $B \subseteq \mathrm{alph}(\alpha)$, $p \in \{1,2,\ldots,q\}$ and a factorization $\alpha = \alpha_1 \alpha_2 \cdots \alpha_p$ for which

(3) $|B| = n^{p-1} k$;

(4) $B \subseteq \mathrm{alph}(\alpha_i)$ and $(\alpha_i)_B$ is a permutation of $B$ for $i = 1,2,\ldots,p$; and

(5) For any $i \in \{1,2,\ldots,p-1\}$, if $(\alpha_i)_B = z_1 z_2 \cdots z_{n^{p-i} k}$ is the factorization of $(\alpha_i)_B$ into $n^{p-i} k$ equal
length ($= n^{i-1}$) blocks and $(\alpha_{i+1})_B = u_1 u_2 \cdots u_{n^{p-i-1} k}$ the factorization of $(\alpha_{i+1})_B$ into $n^{p-i-1} k$ equal
length ($= n^{i}$) blocks, then for each $j_1 \in \{1,2,\ldots,n^{p-i} k\}$, there exists $j_2 \in \{1,2,\ldots,n^{p-i-1} k\}$ such
that $\mathrm{alph}(z_{j_1}) \subseteq \mathrm{alph}(u_{j_2})$.

4 Conclusion 

We have considered combinatorics on words from a fresh viewpoint which is induced by applications in
information security. Some small steps have already been taken in the new research frame. The results
have been promising; they imply more efficient attacks on generalized iterated hash functions and, from
their part, confirm the fact that the iterative structure possesses certain generic security weaknesses.

Research Problem. Consider Theorem 5. The exact value of $N(m,q)$ is known only in the cases $m = 1$,
$q = 1$ and $q = 2$: Trivially $N(1,q) = 1$ and $N(m,1) = m$, furthermore $N(m,2) = m^2 - m + 1$ (see Remark
3). It is probable that in general the number $N(m,q+1)$ is significantly smaller than $N(m^2 - m + 1, q)$.
Moreover, we have not evaluated $N(m,q)$ from below at all. Find reasonable lower and upper bounds to
$N(m,q)$ for $m > 1$, $q > 2$.